A container is only as secure as its image. We check your Dockerfiles for root execution, baked-in secrets, unpinned bases and other common gaps.
Run a free domain scan All checks βWe review your Dockerfiles: does the container run as root, are pinned base images used (not :latest), are secrets baked into layers, and is the attack surface minimised with multi-stage builds and small bases?
A root container that's compromised is a bigger breach than a non-privileged one. Baked-in secrets in image layers are leaks that follow every pull. Container hardening is a core control in the CIS Controls and increasingly required.
USER β running as root or non-privileged?:latest and unpinned base imagesUSER β the container runs as rootFROM ...:latest β unreproducible, drifting basesARG/ENV baked into layersDo you scan the image too?
The Dockerfile check reads your Dockerfiles. We can also scan built images for vulnerable packages as a separate step.
Is root always wrong?
Almost always unnecessary. A dedicated non-privileged user dramatically reduces the damage of a breach.
Does it run in our CI?
Yes β the check can run as a gate in your pipeline via pre-run.
Run a free scan or order a full Security Assessment β prioritised, not noise.
Run a free domain scan